Sandworm Team Could Be Behind Ukraine Power Grid Attack

The suspected cyber-attack on the Ukrainian power grid by Russian hackers could be the work of the Sandworm Team, according to researchers.

iSIGHT Partners told Infosecurity that it believes the Sandworm Team, which previously targeted US and European SCADA systems in 2014, is the likely culprit if the BlackEnergy malware is confirmed to be behind the attack, which we previously reported.

BlackEnergy is the malware of choice for the group, and renewed BlackEnergy activity has been uncovered throughout the past year in Ukraine, affecting government, telecommunications and energy sector organizations in the country. During Ukrainian elections for instance, BlackEnergy malware was allegedly used in destructive attacks against Ukrainian media.

But Sandworm has been busy in other arenas as well. “iSIGHT first reported on aggressive Sandworm activity targeting the energy sector in 2014—heavily using BlackEnergy malware,” a spokesperson told us. “iSIGHT believes the activity is Russian in origin and the intrusions they carried out against US and European SCADA systems were reconnaissance for attack.”

iSIGHT noted that it has very limited evidence that the recent destructive attacks against Ukraine did indeed involve the BlackEnergy malware: in one instance, iSIGHT knows the malware was found on the same system. However, if the malware is shown to be behind the attacks, it would point to a likely attribution.

“If BlackEnergy malware was indeed leveraged in this attack, iSIGHT believes this is Sandworm Team, or a related Russian operator, the same group tied to the events which hit US critical systems in 2014,” the company noted.

Reuters reported that a Western Ukraine power company said that part of its service area, including the regional capital Ivano-Frankivsk, was left without power due to "interference" in its industrial control systems. The energy ministry in Kiev said that it has set up a special commission to investigate what happened.

Ukraine's SBU state security service blamed its neighbor, noting in a statement that it had thwarted malware that was wielded by "Russian security services." The Kremlin has yet to comment on the allegation.